Opening ports and endpoints to a VM in Azure using PowerShell

You open a port, or create an endpoint, to a virtual machine (VM) in Azure by creating a network filter on a subnet or VM network interface. You place these filters, which control both inbound and outbound traffic, on a Network Security Group attached to the resource that receives the traffic.

Let's use a common example of web traffic on port 80. Once you have a VM that is configured to serve web requests on the standard TCP port 80 (remember to start the appropriate services and open any OS firewall rules on the VM as well), you:

  1. Create a Network Security Group.
  2. Create an inbound rule allowing traffic with:
    • the destination port range of "80"
    • the source port range of "*" (allowing any source port)
    • a priority value of less than 65,500 (so that it takes precedence over the default catch-all deny inbound rule, since lower numbers are evaluated first)
  3. Associate the Network Security Group with the VM network interface or subnet.

You can create complex network configurations to secure your environment using Network Security Groups and rules. Our example uses only one or two rules that allow HTTP traffic or remote management. For more information, see the following 'More Information' section or What is a Network Security Group?

Quick commands

To create a Network Security Group and ACL rules you need the latest version of Azure PowerShell installed. You can also perform these steps using the Azure portal.

Log in to your Azure account:

Login-AzureRmAccount

In the following examples, replace the example parameter names with your own values. Example parameter names include myResourceGroup, myNetworkSecurityGroup, and myVnet.

Create a rule. The following example creates a rule named myNetworkSecurityGroupRule to allow TCP traffic on port 80:

$httprule = New-AzureRmNetworkSecurityRuleConfig -Name "myNetworkSecurityGroupRule" `
    -Description "Allow HTTP" -Access "Allow" -Protocol "Tcp" -Direction "Inbound" `
    -Priority "100" -SourceAddressPrefix "Internet" -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 80

Next, create your Network Security Group and assign the HTTP rule you just created to it. The following example creates a Network Security Group named myNetworkSecurityGroup:

$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName "myResourceGroup" `
    -Location "WestUS" -Name "myNetworkSecurityGroup" -SecurityRules $httprule

Now let's assign your Network Security Group to a subnet. The following example assigns an existing virtual network named myVnet to the variable $vnet:

$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName "myResourceGroup" `
    -Name "myVnet"

Associate your Network Security Group with your subnet. The following example associates the subnet named mySubnet with your Network Security Group:

# Look up the existing subnet so its address prefix can be passed back unchanged
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq 'mySubnet' }

Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "mySubnet" `
    -AddressPrefix $subnet.AddressPrefix `
    -NetworkSecurityGroup $nsg

Finally, update your virtual network in order for your changes to take effect:

Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
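The following script is an added example, not code from the original article. It repeats the HTTP rule above, adds a second rule that permits remote management only from an administrative address range rather than from "Internet", attaches the Network Security Group to the VM's network interface (the alternative in step 3 of the procedure), and then lists the inbound rules that actually apply to that interface. The NIC name myVmNic and the range 203.0.113.0/24 are placeholders you must replace.

```powershell
# Added example (not from the article). Assumed names: myResourceGroup,
# myNetworkSecurityGroup, myVmNic; 203.0.113.0/24 is a placeholder admin range.
$rg        = "myResourceGroup"
$location  = "WestUS"
$adminCidr = "203.0.113.0/24"   # your management network, not "Internet"

# Rule 1: HTTP from any source, as in the article (priority 100).
$httpRule = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-HTTP" `
    -Description "Allow HTTP" -Access Allow -Protocol Tcp -Direction Inbound `
    -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 80

# Rule 2: RDP only from the administrative range (priority 110). Add a sibling
# rule for port 22 the same way if the VM is managed over SSH.
$mgmtRule = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-RDP-From-Admin" `
    -Description "RDP from management network only" -Access Allow -Protocol Tcp `
    -Direction Inbound -Priority 110 -SourceAddressPrefix $adminCidr `
    -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389

# Create the NSG with both rules; the default deny-all inbound rule (priority
# 65500) still blocks everything these two rules do not explicitly allow.
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "myNetworkSecurityGroup" -SecurityRules $httpRule, $mgmtRule

# Associate the NSG with the VM's network interface instead of the subnet.
$nic = Get-AzureRmNetworkInterface -ResourceGroupName $rg -Name "myVmNic"
$nic.NetworkSecurityGroup = $nsg
Set-AzureRmNetworkInterface -NetworkInterface $nic

# Check 1: which inbound allow rules are reachable from "Internet"? Anything
# here other than the web port deserves a second look.
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
                   $_.SourceAddressPrefix -contains 'Internet' } |
    Sort-Object Priority |
    Format-Table Name, Priority, SourceAddressPrefix, DestinationPortRange -AutoSize

# Check 2: effective rules on the NIC, including default rules and any NSG on
# the subnet (the VM must be running for this query to succeed).
Get-AzureRmEffectiveNetworkSecurityGroup -ResourceGroupName $rg `
    -NetworkInterfaceName "myVmNic" |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
```

If the VM's subnet also carries a Network Security Group, both sets of rules are evaluated, and the effective-rules query is the quickest way to see the combined result.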

More information on Network Security Groups

The quick commands here allow you to get up and running with traffic flowing to your VM. Network Security Groups provide many great features and granularity for controlling access to your resources. You can read more about creating a Network Security Group and ACL rules here.

You can define Network Security Groups and ACL rules as part of Azure Resource Manager templates. Read more about creating Network Security Groups with templates.

If you need to use port-forwarding to map a unique external port to an internal port on your VM, use a load balancer and Network Address Translation (NAT) rules. For example, you may want to expose TCP port 8080 externally and have traffic directed to TCP port 80 on a VM. You can learn about creating an Internet-facing load balancer.

Next steps

In this example, you created a simple rule to allow HTTP traffic. You can find information on creating more detailed environments in the following articles: